Publication Date

Spring 2011

Degree Type

Master's Project

Degree Name

Master of Science (MS)


Computer Science

First Advisor

Mark Stamp

Second Advisor

Chris Pollett

Third Advisor

Johnny Martin


meta morphic virus detection code emulation


In parallel with improvements in anti-virus technologies, computer virus writers have developed innovative viruses that are challenging to detect. Metamorphic viruses change their appearance from one generation to another by using various code obfuscation techniques. Today, signature detection is the most common method used in anti-virus products, but well designed metamorphic viruses cannot be detected using signatures. Hence, there is a need for a more robust anti-virus technology.
To counter metamorphic virus, a very successful tool based on hidden Markov models (HMM) has been previously developed. This tool was able to detect all hacker produced metamorphic viruses on which it was tested. However, a weakness of this tool was exploited to develop an advanced metamorphic virus generator. These morphed viruses, which were not detected by the HMM based technique or standard signature-based detection, rely on carefully selected dead code insertion for their success.
In this project, we have created a code emulator designed specifically to detect dead code in any virus file. The output of this code emulator is then used to enhance HMM-based detection of metamorphic viruses. We test our emulator on the previously mentioned metamorphic generator, using the existing HMM detector to determine the quality of our results.